
The creators behind the Sigrun ransomware seem to be favoring Russian victims infected by their malicious code, security researchers have discovered. The author of the Sigrun ransomware has been found providing free decryption for Russian victims, while demanding a ransom payment of $2500 in Bitcoin or Dash for others.

This notable trend was first discovered and reported on Twitter by security researcher Alex Svirid who specializes in analyzing ransomware weaknesses. Malwarebytes security researcher S!Ri later replied to Svirid's tweet with email proof illustrating the malware author’s intentions not to harm Russian victims.

While one email featured conversations between the ransomware author and a US-based victim, a second included the conversation with a Russian victim.

“You do not have to pay,” the ransomware author wrote to the Russian victim. “I’ll just help you.”

Russian malware authors usually program their malicious code to avoid infecting Russian-speaking victims to evade detection by authorities. In fact, the Sigrun ransomware, when executed, immediately checks the keyboard layout. If a Russian layout is detected, it does not encrypt the system and deletes itself. However, a Russian victim who does not happen to be using a Russian keyboard layout could still end up infected by the ransomware.

Sigrun will scan the entire computer for files to encrypt and skip certain files, extensions and filenames. Encrypted files are appended with the extension .sigrun. The malware also displays two ransom notes named RESTORE-SIGRUN.txt and RESTORE-SIGRUN.html in each encrypted folder. The ransom note contains information about the attack and the email ID to be used by the victim to get further instructions regarding payment and decryption.

Ransom note (Image credit: Bleeping Computer)
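The file artifacts described above (the .sigrun extension and the two RESTORE-SIGRUN notes) are enough to scope which folders were hit during triage. The following is an added example, not code from the article or from the researchers it cites; the function names and the sample directory tree are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".sigrun"  # extension named in the article
NOTE_NAMES = {"restore-sigrun.txt", "restore-sigrun.html"}  # note names, lowercased


def scan_for_sigrun(root):
    """Map each affected folder to its ransom notes and encrypted files.

    Unreadable directories are skipped rather than aborting the scan.
    """
    hits = {}
    for folder, _dirs, files in os.walk(root, onerror=lambda err: None):
        # Case-insensitive match, since Windows file systems usually are.
        notes = sorted(f for f in files if f.lower() in NOTE_NAMES)
        encrypted = sorted(f for f in files if f.lower().endswith(ENCRYPTED_EXT))
        if notes or encrypted:
            hits[folder] = {"notes": notes, "encrypted": encrypted}
    return hits


def summarize(hits):
    """Totals plus the pre-encryption names, for matching against backups."""
    originals = sorted(
        os.path.join(folder, name[: -len(ENCRYPTED_EXT)])
        for folder, found in hits.items()
        for name in found["encrypted"]
    )
    return {
        "folders": len(hits),
        "encrypted_files": len(originals),
        "note_only_folders": sorted(f for f, v in hits.items() if not v["encrypted"]),
        "original_names": originals,
    }


def build_sample_tree(base):
    """Constructed sample data: empty placeholder files only."""
    for rel in ("docs/report.docx.sigrun", "docs/RESTORE-SIGRUN.txt",
                "docs/RESTORE-SIGRUN.html", "pics/a.JPG.SIGRUN",
                "empty/RESTORE-SIGRUN.txt", "clean/notes.txt"):
        path = Path(base, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(summarize(scan_for_sigrun(tmp)))
```

Run against a mounted disk image or a read-only copy of the affected volume so the scan does not alter timestamps on evidence.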

The author behind Sigrun told Bleeping Computer that he is “not from former USSR republics.”

"I added it because of my Belarus partners," he claimed, according to Bleeping Computer reports. "Ukrainian users don't use Russian layout because of political reasons. So we decided to help them if they was infected. We have already added avoiding Ukrainian layout like was in Sage ransomware before."

Files encrypted by the Sigrun ransomware currently cannot be decrypted for free without help from the authors themselves, which they provide if you happen to be a Russian victim.
